From 7d59f3cdb1053f2b277cbca2d699654e071405cc Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 20 Jul 2025 15:18:39 +0200
Subject: [PATCH 1/5] server zitadel: init
---
 secrets/default.nix | 1 +
 secrets/secrets.nix | 1 +
 secrets/zitadel.age | 15 +++++++++++++++
 system/server/default.nix | 1 +
 system/server/zitadel.nix | 26 ++++++++++++++++++++++++++
 5 files changed, 44 insertions(+)
 create mode 100644 secrets/zitadel.age
 create mode 100644 system/server/zitadel.nix
diff --git a/secrets/default.nix b/secrets/default.nix
index 99356d8..3aa47f4 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -36,5 +36,6 @@ in {
 # else "root";
 file = ./mail-admin.age;
 };
+ zitadel.file = ./zitadel.age;
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2db3699..1ed79c2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -20,4 +20,5 @@ in {
 "matrix-registration.age".publicKeys = keys;
 "cloudflare-acme.age".publicKeys = keys;
 "mail-admin.age".publicKeys = keys;
+ "zitadel.age".publicKeys = keys;
 }
diff --git a/secrets/zitadel.age b/secrets/zitadel.age
new file mode 100644
index 0000000..9a647df
--- /dev/null
+++ b/secrets/zitadel.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA fz19CbZPbHDcTz3uKZwJPn5ZN4cvl7GcED5eG0D+ElM
+HHCdqkDUcqK4Oo+AGp04q3nVJs2KpeIM3ZwKwOsPWYo
+-> ssh-ed25519 MfR7VA IXjIOdECEgdKvxs3K2lYVhqHa6IbGYhciFlPamEl9AQ
+HVDNbo0Y8rAHy2nUiiP11XKcJ5AdEGhQQt30GCdve1E
+-> ssh-ed25519 +cvRTg ipfUrJdALMna/5EQfLzAo28r65e1W62P5FzSxqSkYCI
+qzhYJjzB6NsHa0obHsyD3nylsucBcIcWFcJ8g/P1HHo
+-> ssh-ed25519 WCPLrA fAWkqW/ucxI8d+92obW2j1X3+FC/HfR32JGl/jEbUwQ
+CVxiMB5COMiikBiubXJlzNAmq2KIpiqBUPgks5bD/3Y
+-> ssh-ed25519 7/ziYw vdFHVmAee1B7y7dG9JsV0Q5oJAHkARCwcjZAyAzCuRY
+8BMNoikJKNPdxxk61A/zgRykiFGgNu7JUCm+Hhdy9Vw
+-> ssh-ed25519 VQy60Q SUSqfYDbeljqVLip253DQtxcag48UYVkUQDZ+6mA1n4
+j3zzmyOADOQprP8/db/Q8iswQucbjgylpt3s4GnHR2A
+--- v9F0L3av1OwiVGZfhdGzM0NCsg9j611ihVaKlmHpdoY
+ƺB2ҕ_bw2"roc
\ No newline at end of file
diff --git a/system/server/default.nix b/system/server/default.nix
index 001c25f..55ee537 100644
--- a/system/server/default.nix
+++ b/system/server/default.nix
@@ -10,6 +10,7 @@
 ./matrix.nix
 ./seafile.nix
 ./temp.nix
+ ./zitadel.nix
 ];
 options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
 }
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
new file mode 100644
index 0000000..f3fd8e0
--- /dev/null
+++ b/system/server/zitadel.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ ExternalDomain = "z.jsw.tf";
+ Port = 9000;
+in {
+ config =
+ lib.mkIf config.niksos.server
+ {
+ services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
+ reverse_proxy localhost:${builtins.toString Port}
+ '';
+
+ services.zitadel = {
+ enable = true;
+ masterKeyFile = "/etc/default/zitadel";
+ settings = {
+ inherit Port ExternalDomain;
+ ExternalPort = 443;
+ };
+ extraSettingsPaths = [config.age.secrets.zitadel.path];
+ };
+ };
+}
From 53fb8e06dc22442db40e2d3e00ee63cffc985f1c Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 20 Jul 2025 15:34:59 +0200
Subject: [PATCH 2/5] Added zitadel masterkey + rewritten agenix secrets module.
---
 .locksverify | 0
 secrets/default.nix | 64 +++++++++++++++++++--------------------
 secrets/secrets.nix | 2 +-
 secrets/zitadel-key.age | 15 +++++++++
 system/server/zitadel.nix | 2 +-
 5 files changed, 49 insertions(+), 34 deletions(-)
 create mode 100644 .locksverify
 create mode 100644 secrets/zitadel-key.age
diff --git a/.locksverify b/.locksverify
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/default.nix b/secrets/default.nix
index 3aa47f4..642ae61 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,41 +1,41 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf;
+ inherit (config.niksos) server;
+ serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
+ abstrServiceUser = x: config.services.${x}.user;
 in {
 age.secrets = {
- transferSh = {
- file = ./transfer-sh.age;
- owner = "jsw";
- };
- dcbot = {
- file = ./dcbot.age;
- owner =
- if config.niksos.server
- then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
- else "root";
- };
- bread-dcbot = {
- file = ./bread-dcbot.age;
- owner =
- if config.niksos.server
- then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
- else "root";
- };
 password.file = ./password.age;
- matrix-registration = {
- file = ./matrix-registration.age;
- owner =
- if config.niksos.server
- then config.services.matrix-continuwuity.user
- else "root";
+
+ # NOTE: server things
+ dcbot = mkIf server {
+ file = ./dcbot.age;
+ owner = serviceUser "dcbot"; #
 };
- cloudflare-acme.file = ./cloudflare-acme.age;
- mail-admin = {
- # owner = #FIXME: revert when stopped using docker for stalwart.
- # if config.niksos.server
- # then serviceUser "stalwart-mail"
- # else "root";
+ bread-dcbot = mkIf server {
+ file = ./bread-dcbot.age;
+ owner = "bread-dcbot";
+ };
+ matrix-registration = mkIf server {
+ file = ./matrix-registration.age;
+ owner = abstrServiceUser "matrix-continuwuity";
+ };
+ mail-admin = mkIf server {
+ # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
 file = ./mail-admin.age;
 };
- zitadel.file = ./zitadel.age;
+ zitadel = mkIf server {
+ file = ./zitadel.age;
+ owner = abstrServiceUser "zitadel";
+ };
+ zitadel-key = mkIf server {
+ file = ./zitadel-key.age;
+ owner = abstrServiceUser "zitadel";
+ };
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1ed79c2..032f1bb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
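Review bot: In the rewritten `age.secrets` block, `bread-dcbot` gets a hard-coded `owner = "bread-dcbot";` while its sibling keeps `owner = serviceUser "dcbot";`, so one secret's ownership follows the unit's actual `User` and the other is a literal that can silently diverge from whatever the service runs as, leaving the decrypted file readable by the wrong account; `owner = serviceUser "bread-dcbot";` keeps the two consistent. The `dcbot` owner line ends in a dangling `#` with no comment text, which reads as a leftover and should be removed. The rewrite also drops the `transferSh` and `cloudflare-acme` entries (and the `@@ -18,7 +18,7 @@` hunk of `secrets/secrets.nix` drops the `cloudflare-acme.age` recipients) without the commit message saying so; I cannot see the callers from here, but any module that still reads `config.age.secrets.cloudflare-acme.path` or `config.age.secrets.transferSh.path` will now fail to evaluate, and if the secrets are intentionally retired the corresponding `.age` files should be deleted in the same change so unused ciphertext does not linger in the tree.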
@@ -18,7 +18,7 @@ in {
 "dcbot.age".publicKeys = keys;
 "bread-dcbot.age".publicKeys = keys;
 "matrix-registration.age".publicKeys = keys;
- "cloudflare-acme.age".publicKeys = keys;
 "mail-admin.age".publicKeys = keys;
 "zitadel.age".publicKeys = keys;
+ "zitadel-key.age".publicKeys = keys;
 }
diff --git a/secrets/zitadel-key.age b/secrets/zitadel-key.age
new file mode 100644
index 0000000..2eba485
--- /dev/null
+++ b/secrets/zitadel-key.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA 8s7XBtsT4aMey1VsjyPuiR9A23iGVgJlG2Dkw5Bvozo
+0GWZoueNk/hDnytLuHHFY2k+iL+Ine1wIYwQFiq7KCs
+-> ssh-ed25519 MfR7VA dzd732h24b07RcrrRc+P0X1NK976C3K3oU2qDmq9QG0
+6OeYdwuHemkFHrjbOQ/RFmMdsEt8OqIq5vgILNFTI6c
+-> ssh-ed25519 +cvRTg /KyYAI4kuFrZ6kr8tRBe9RSyrWIpzk7zJWshoYm+k10
+Eouuif3FzeKtCldyWDzD/eEj4A1lUrXFw3R/oEm8VgE
+-> ssh-ed25519 WCPLrA Z3Pw+BpqAB41FatChu2fTa7WEf1Px1aCyfQ3hgQpxS0
+CeooAiiIKhMT+apVorjV4bmbupESh3g4oSijGQqe1jA
+-> ssh-ed25519 7/ziYw 8v7lxtYQ++YPwxsvz7AokGHc1TBoF+NLon9BbvK+w3c
+SIlKY5qwo1jsKnP1jfoQjHU77XWfJ5Emy5Nni2qPx5E
+-> ssh-ed25519 VQy60Q teT6TQxAYDs09h8T9BnofmInTLQQ2PWN7qeS8CYDfHE
+7KE9Fpdd+OBVs4F5wp+lBRSJTLZHbrxy8rz+2pbbZ34
+--- aRYzmVbztYklpEcpALzft6JXe4ehgRMo9JfgloHP69s
+F9Yay|Wު5Z9kL$;L%zklSIZdyG;ȖB o
\ No newline at end of file
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
index f3fd8e0..646b8d2 100644
--- a/system/server/zitadel.nix
+++ b/system/server/zitadel.nix
@@ -15,7 +15,7 @@ in {
 services.zitadel = {
 enable = true;
- masterKeyFile = "/etc/default/zitadel";
+ masterKeyFile = config.age.secrets.zitadel-key.path;
 settings = {
 inherit Port ExternalDomain;
 ExternalPort = 443;
From e8915cfded74ef520392ce92e8dd5cbfe75bf35d Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 20 Jul 2025 15:49:11 +0200
Subject: [PATCH 3/5] Added zitadel database and default user. Removed zitadel encrypted config file
---
 secrets/default.nix | 4 ---
 secrets/secrets.nix | 1 -
 secrets/zitadel.age | 15 --------
 system/server/zitadel.nix | 74 +++++++++++++++++++++++++++++++++++----
 4 files changed, 67 insertions(+), 27 deletions(-)
 delete mode 100644 secrets/zitadel.age
diff --git a/secrets/default.nix b/secrets/default.nix
index 642ae61..2e96df6 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -29,10 +29,6 @@ in {
 # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
 file = ./mail-admin.age;
 };
- zitadel = mkIf server {
- file = ./zitadel.age;
- owner = abstrServiceUser "zitadel";
- };
 zitadel-key = mkIf server {
 file = ./zitadel-key.age;
 owner = abstrServiceUser "zitadel";
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 032f1bb..5f4df5c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -19,6 +19,5 @@ in {
 "bread-dcbot.age".publicKeys = keys;
 "matrix-registration.age".publicKeys = keys;
 "mail-admin.age".publicKeys = keys;
- "zitadel.age".publicKeys = keys;
 "zitadel-key.age".publicKeys = keys;
 }
diff --git a/secrets/zitadel.age b/secrets/zitadel.age
deleted file mode 100644
index 9a647df..0000000
--- a/secrets/zitadel.age
+++ /dev/null
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA fz19CbZPbHDcTz3uKZwJPn5ZN4cvl7GcED5eG0D+ElM
-HHCdqkDUcqK4Oo+AGp04q3nVJs2KpeIM3ZwKwOsPWYo
--> ssh-ed25519 MfR7VA IXjIOdECEgdKvxs3K2lYVhqHa6IbGYhciFlPamEl9AQ
-HVDNbo0Y8rAHy2nUiiP11XKcJ5AdEGhQQt30GCdve1E
--> ssh-ed25519 +cvRTg ipfUrJdALMna/5EQfLzAo28r65e1W62P5FzSxqSkYCI
-qzhYJjzB6NsHa0obHsyD3nylsucBcIcWFcJ8g/P1HHo
--> ssh-ed25519 WCPLrA fAWkqW/ucxI8d+92obW2j1X3+FC/HfR32JGl/jEbUwQ
-CVxiMB5COMiikBiubXJlzNAmq2KIpiqBUPgks5bD/3Y
--> ssh-ed25519 7/ziYw vdFHVmAee1B7y7dG9JsV0Q5oJAHkARCwcjZAyAzCuRY
-8BMNoikJKNPdxxk61A/zgRykiFGgNu7JUCm+Hhdy9Vw
--> ssh-ed25519 VQy60Q SUSqfYDbeljqVLip253DQtxcag48UYVkUQDZ+6mA1n4
-j3zzmyOADOQprP8/db/Q8iswQucbjgylpt3s4GnHR2A
---- v9F0L3av1OwiVGZfhdGzM0NCsg9j611ihVaKlmHpdoY
-ƺB2ҕ_bw2"roc
\ No newline at end of file
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
index 646b8d2..1484a25 100644
--- a/system/server/zitadel.nix
+++ b/system/server/zitadel.nix
@@ -13,14 +13,74 @@ in {
 reverse_proxy localhost:${builtins.toString Port}
 '';
- services.zitadel = {
- enable = true;
- masterKeyFile = config.age.secrets.zitadel-key.path;
- settings = {
- inherit Port ExternalDomain;
- ExternalPort = 443;
+ # services.zitadel = {
+ # enable = true;
+ # masterKeyFile = config.age.secrets.zitadel-key.path;
+ # settings = {
+ # inherit Port ExternalDomain;
+ # ExternalPort = 443;
+ # };
+ # extraSettingsPaths = [config.age.secrets.zitadel.path];
+ # };
+ systemd.services.zitadel = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
+ services = {
+ zitadel = {
+ enable = true;
+ masterKeyFile = config.age.secrets.zitadel-key.path;
+ settings = {
+ inherit Port ExternalDomain;
+ ExternalPort = 443;
+ Database.postgres = {
+ Host = "/var/run/postgresql/";
+ Port = 5432;
+ Database = "zitadel";
+ User = {
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ };
+ Admin = {
+ Username = "zitadel";
+ SSL.Mode = "disable";
+ ExistingDatabase = "zitadel";
+ };
+ };
+ ExternalSecure = true;
+ };
+ steps.FirstInstance = {
+ InstanceName = "jsw";
+ Org = {
+ Name = "jsw";
+ Human = {
+ UserName = "jsw@jsw.tf";
+ FirstName = "Jurn";
+ LastName = "Wubben";
+ Email.Verified = true;
+ Password = "changeme";
+ PasswordChangeRequired = true;
+ };
+ };
+ LoginPolicy.AllowRegister = false;
+ };
+ openFirewall = true;
+ };
+
+ postgresql = {
+ enable = true;
+ enableJIT = true;
+ ensureDatabases = ["zitadel"];
+ ensureUsers = [
+ {
+ name = "zitadel";
+ ensureDBOwnership = true;
+ ensureClauses.login = true;
+ ensureClauses.superuser = true;
+ }
+ ];
 };
- extraSettingsPaths = [config.age.secrets.zitadel.path];
 };
 };
 }
From a0905f93b1d9f788ab3762f8aaa120ec97beecb4 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 20 Jul 2025 15:54:50 +0200
Subject: [PATCH 4/5] Updated zitadel key
---
 secrets/zitadel-key.age | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
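Review bot: `openFirewall = true;` in the new `services.zitadel` block exposes the plain-HTTP listener on `Port` (9000) to the network, even though the only intended entry point is the Caddy vhost that `reverse_proxy localhost:…` fronts on 443 and `ExternalSecure = true` assumes TLS is terminated there; since the proxy only needs loopback, `openFirewall = false;` (or dropping the line) is the setting that matches the rest of the hunk. The bootstrap admin `Password = "changeme"` under `steps.FirstInstance` is committed to the repository and, as far as I can tell, rendered by the module into a world-readable file in the Nix store; patch 5 (the `@@ -59,7 +59,7 @@` hunk) only changes the value to `"Changeme1!"`, which does not change that, so keeping the initial password out of the store (an out-of-store steps file via `extraStepsPaths`, if this nixpkgs module offers it alongside `extraSettingsPaths`) and relying on `PasswordChangeRequired = true` to rotate it on first login would be preferable. `ensureClauses.superuser = true` grants the `zitadel` role cluster-wide superuser, far more than `ensureDBOwnership` already provides for its own database; I cannot tell from this hunk whether ZITADEL's init genuinely needs it, so it should be verified and removed if not. The commented-out `# services.zitadel = { … }` block still references `config.age.secrets.zitadel.path`, which this same patch removes from `secrets/default.nix`, so it is dead text and should go.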
diff --git a/secrets/zitadel-key.age b/secrets/zitadel-key.age
index 2eba485..f5751e4 100644
--- a/secrets/zitadel-key.age
+++ b/secrets/zitadel-key.age
@@ -1,15 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 GQzYWA 8s7XBtsT4aMey1VsjyPuiR9A23iGVgJlG2Dkw5Bvozo
-0GWZoueNk/hDnytLuHHFY2k+iL+Ine1wIYwQFiq7KCs
--> ssh-ed25519 MfR7VA dzd732h24b07RcrrRc+P0X1NK976C3K3oU2qDmq9QG0
-6OeYdwuHemkFHrjbOQ/RFmMdsEt8OqIq5vgILNFTI6c
--> ssh-ed25519 +cvRTg /KyYAI4kuFrZ6kr8tRBe9RSyrWIpzk7zJWshoYm+k10
-Eouuif3FzeKtCldyWDzD/eEj4A1lUrXFw3R/oEm8VgE
--> ssh-ed25519 WCPLrA Z3Pw+BpqAB41FatChu2fTa7WEf1Px1aCyfQ3hgQpxS0
-CeooAiiIKhMT+apVorjV4bmbupESh3g4oSijGQqe1jA
--> ssh-ed25519 7/ziYw 8v7lxtYQ++YPwxsvz7AokGHc1TBoF+NLon9BbvK+w3c
-SIlKY5qwo1jsKnP1jfoQjHU77XWfJ5Emy5Nni2qPx5E
--> ssh-ed25519 VQy60Q teT6TQxAYDs09h8T9BnofmInTLQQ2PWN7qeS8CYDfHE
-7KE9Fpdd+OBVs4F5wp+lBRSJTLZHbrxy8rz+2pbbZ34
---- aRYzmVbztYklpEcpALzft6JXe4ehgRMo9JfgloHP69s
-F9Yay|Wު5Z9kL$;L%zklSIZdyG;ȖB o
\ No newline at end of file
+-> ssh-ed25519 GQzYWA YUoGdx518q+GhqnOVeuHxWE4//2KgVTXJCu4ULUkly8
+XIxa/FaGC5XBcrsvhZq5rOgX5vNDfFvcDCsamN7vHJ8
+-> ssh-ed25519 MfR7VA 9btD5WmqZdQ54uJYVNwU3Z5DBIlACbYfqGe1wPZwd30
+QecwT2R+BkQrGmorYcMuXHyy/TG7JjBdH2fp3W9zCBU
+-> ssh-ed25519 +cvRTg UZnkgS+9oRLgEI/vdLFIAPbUG4V5iAuB4Z74D/quXzE
+vxWJZI/SZKH1j8bnI4xC8+TIIANqMOkIDej+BWzDJwE
+-> ssh-ed25519 WCPLrA OVnublQtCOFFo7+vcKGmCY3B3FkvLvQ6GaU7xMx8uQY
+PuMamZqF3vCqgmpcTGQinIdbjOOpHtrmKfOXlL924Rk
+-> ssh-ed25519 7/ziYw nYxpO5kaGDOyGUEFxryEhT0XqWf0Oc1RgprYaPjC33c
+UseYaBeWvetviCf1FHncVNko86ji+GX9AdyDic2A1Og
+-> ssh-ed25519 VQy60Q ok1oP3f7nWBd/6DyJFDnsv/Lb2/bwHY0cvmHI386IFM
+t5rIZBUz5jav6tUo01ASMzYtHoW4+cKBZ2lzmxSI7IA
+--- NZ9UXYlEIcw3VPFqDswXhSecW1zqcCeKivJoHC1zKA8
+JqU0]D_Տz =1׶S!-.t="緿e Date: Sun, 20 Jul 2025 15:58:47 +0200
Subject: [PATCH 5/5] Zitadel: default changeme password wasn't strong enough
---
 system/server/zitadel.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
index 1484a25..7bd32a7 100644
--- a/system/server/zitadel.nix
+++ b/system/server/zitadel.nix
@@ -59,7 +59,7 @@ in {
 FirstName = "Jurn";
 LastName = "Wubben";
 Email.Verified = true;
- Password = "changeme";
+ Password = "Changeme1!";
 PasswordChangeRequired = true;
 };
 };